06/01/14 16:58, intrigeri wrote:
> sorry for the delay, and sorry in advance for the bad mood that
> probably impacts this email, I'm a bit grumpy today.

:)

> anonym wrote (31 Dec 2013 00:45:51 GMT) :
>> 30/12/13 13:48, intrigeri wrote:
>>> anonym wrote (29 Dec 2013 21:21:35 GMT) :
>>>> 27/12/13 18:05, intrigeri wrote:
>>>> Approach 1
>>>> ----------
>>> 
>>>> A seemingly obvious fix would be to move the fail-safe from its current
>>>> location, tails-unblock-network, into tails-spoof-mac, which is run by
>>>> the MAC spoofing udev hook when network devices are added. The fail-safe
>>>> would then act on a per-device basis, and it would be closer to the
>>>> spoofing, which both are nice (bonus: the problem you raised about
>>>> "macchanger can't retrieve the permanent MAC address" would be really
>>>> easy to fix).
>>> 
>>> I like this approach, and I hope we can make it work fine. Let's see.
[...]

Let's just drop all these sub-discussions. I'm in complete agreement
with you now. Approach #1 it is!

>> Hmm. I just think I came up with a fix that makes Approach #1 robust (it
>> can be used for Approach #2 too, but it doesn't make as much sense): we
>> use ferm/iptables to drop all outgoing traffic from interfaces that have
>> not been explicitly said to be "ok" by the fail-safe code.
[...]
> I'm not convinced that this added code, design complexity, and thus
> difficulty to audit is more likely to protect our users than the lack
> of it. AIUI, the only bonus is for a corner case, while the potential
> drawbacks are for everybody.

Agreed. Looking back at all this I don't know what I was thinking. I'm
honestly sorry for having forced you through all this crap.

> But perhaps I just want to see this branch merged ASAP in some
> acceptable state, and am starting to get tired of thinking about it.
> The current state + a few documented known issues + the small fixes
> I've asked for a while ago, would be already much better than what our
> users have in hand right now.

All this is done, as per my other replies. I've also implemented
approach #1 and fixed #6552. See commits 7b7ba02d..e85b325. It's all
pushed into feature/mac-spoof, both Tails and Greeter repos, and I've
built a new Tails Greeter snapshot, uploaded it, and merged the feature
branch + APT suite into experimental.

In summary, tickets #6552, #6540, #6550, #6111 and #6541 are now in your
court. :)

Cheers!

_______________________________________________
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
